Implicit certificate scheme

ABSTRACT

A method of generating a public key in a secure digital communication system having at least one trusted entity CA and subscriber entities A. For each entity A, the trusted entity selects a unique identity distinguishing the entity A. The trusted entity then generates public key reconstruction public data of the entity A by mathematically combining public values obtained from respective private values of the trusted entity and the entity A. The unique identity and public key reconstruction public data of the entity A serve as A's implicit certificate. The trusted entity combines the implicit certificate information with a mathematical function to derive an entity information ƒ and generates a value k_(A) by binding ƒ with private values of the trusted entity. The trusted entity transmits the value k_(A) to the entity to permit A to generate a private key from k_(A), A's private value and A's implicit certificate. The entity A's public key information may be reconstructed from public information and A's implicit certificate.

This application is a continuation of U.S. patent application Ser. No. 12/137,276 filed on Jun. 11, 2008, which is a continuation of U.S. patent application Ser. No. 10/921,870 filed on Aug. 20, 2004, which is a continuation of U.S. patent application Ser. No. 09/667,819 filed on Sep. 22, 2000, which is a continuation of PCT Application No. PCT/CA99/00244 filed on Mar. 23, 1999, which claims priority from Canadian Patent Application No. 2,235,359 filed on Apr. 20, 1998 and Canadian Patent Application No. 2,232,936 filed on Mar. 23, 1998, all of which are hereby incorporated by reference.

This invention relates to key distribution schemes for transfer and authentication of encryption keys.

BACKGROUND OF THE INVENTION

Diffie-Hellman key agreement provided the first practical solution to the key distribution problem in cryptographic systems. The key agreement protocol allowed two parties never having met in advance or shared key material to establish a shared secret by exchanging messages over an open (unsecured) channel. The security rests on the intractability of the Diffie-Hellman problem and the related problem of computing discrete logarithms.

With the advent of the Internet and such like, the requirement for large-scale distribution of public keys and public key certificates is becoming increasingly important. Public-key certificates are a vehicle by which public keys may be stored, distributed or forwarded over unsecured media without danger of undetectable manipulation. The objective is to make one party's public key available to others such that its authenticity and validity are verifiable.

A public-key certificate is a data structure consisting of a data part and a signature part. The data part contains cleartext data including, as a minimum, a public key and a string identifying the party to be associated therewith. The signature part consists of the digital signature of a certification authority (CA) over the data part, thereby binding the entity's identity to the specified public key. The CA is a trusted third party whose signature on the certificate vouches for the authenticity of the public key bound to the subject entity.

Identity-based systems (ID-based systems) resemble ordinary public-key systems, involving a private transformation and a public transformation, but parties do not have explicit public keys as before. Instead, the public key is effectively replaced by a party's publicly available identity information (e.g. name or network address). Any publicly available information which uniquely identifies the party and can be undeniably associated with the party may serve as identity information.

An alternate approach to distributing public keys involves implicitly certified public keys. Here explicit user public keys exist, but they must be reconstructed rather than transported by public-key certificates as in certificate-based systems. Thus implicitly certified public keys may be used as an alternative means for distributing public keys (e.g. Diffie-Hellman keys).

An example of an implicitly certified public key mechanism is known as Gunther's implicitly-certified (ID-based) public key method. In this method:

1. A trusted server T selects an appropriate fixed public prime p and generator α of Z*_(p). T selects a random integer t, with 1 ≤ t ≤ p−2 and gcd(t, p−1) = 1, as its private key, and publishes its public key u = α^(t) mod p, along with α, p.
2. T assigns to each party A a unique name or identifying string I_(A) and a random integer k_(A) with gcd(k_(A), p−1) = 1. T then computes P_(A) = α^(k_(A)) mod p. P_(A) is A's key reconstruction public data, allowing other parties to compute (P_(A))^(a) below.
3. Using a suitable hash function h, T solves the following equation for a:

h(I_(A)) ≡ t·P_(A) + k_(A)·a (mod p−1)

4. T securely transmits to A the pair (r, s) = (P_(A), a), which is T's ElGamal signature on I_(A). (a is A's private key for Diffie-Hellman key agreement.)
5. Any other party can then reconstruct A's Diffie-Hellman public key P_(A)^(a) entirely from publicly available information (α, I_(A), u, P_(A), p) by computing:

P_(A)^(a) ≡ α^(h(I_(A))) · u^(−P_(A)) mod p

Thus for discrete logarithm problems, signing a certificate needs one exponentiation operation, but reconstructing the ID-based implicitly-verifiable public key needs two exponentiations. It is known that exponentiation in the group Z*_(p), and its analog, scalar multiplication of a point in E(F_(q)), is computationally intensive. For example, an RSA scheme is extremely slow compared to elliptic curve systems. However, despite the resounding efficiency of EC systems over RSA type systems, this is still a problem, particularly for computing devices having limited computing power such as "smart cards", pagers and such like.

SUMMARY OF THE INVENTION

The present invention seeks to provide an efficient ID-based implicit certificate scheme, which provides improved computational speeds over existing schemes. For convenience, we describe the schemes over Z_(p); however, these schemes are equally implementable in elliptic curve cryptosystems.

In accordance with this invention there is provided a method of generating an identity-based public key in a secure digital communication system, having at least one trusted entity CA and subscriber entities A, the method comprising the steps of:

(a) for each entity A, the CA selecting a unique identity I_(A) distinguishing the entity A;
(b) generating a public key reconstruction public data γ_(A) of entity A by mathematically combining a generator of the trusted party CA with a private value of the entity A, such that the pair (I_(A), γ_(A)) serves as A's implicit certificate;
(c) combining the implicit certificate information (I_(A), γ_(A)) in accordance with a mathematical function F(γ_(A), I_(A)) to derive an entity information ƒ;
(d) generating a private key a of the entity A by signing the entity information ƒ and transmitting the private key a to the entity A, whereby the entity A's public key may be reconstructed from the public information, the generator γ_(A) and the identity I_(A) relatively efficiently.

In accordance with a further embodiment of the invention there is provided a public key certificate comprising a plurality of public keys having different bit strengths and wherein one of the public keys is an implicitly certified public key.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention will now be described by way of example only with reference to the accompanying drawings in which:

FIG. 1 is a schematic representation of a first system configuration according to an embodiment of the present invention; and

FIG. 2 is a schematic representation of a second system configuration according to an embodiment of the present invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

Referring to FIG. 1, a system with implicitly-certified public keys is shown generally by 10. This system 10 includes a trusted third party CA and at least a pair of first and second correspondents A and B respectively. The correspondents A and B exchange information over a communication channel and each includes a cryptographic unit for performing visual finding/verification and encryption/decryption.

Referring back to FIG. 1, the trusted party CA selects an appropriate prime p with p = tq+1, where q is a large prime, and a generator α of order q. The CA selects a random integer c, with 1 ≤ c ≤ q−1, as its private key, then computes the public key β = α^(c) mod p and publishes (β, α, p, q).

Scheme 1:

1. For each party A, the CA chooses a unique distinguished name or identity I_(A) (e.g., name, address, phone number), and a random integer c_(A) with 1 ≤ c_(A) ≤ q−1. Then the CA computes γ_(A) = α^(c_(A)) mod p. (γ_(A) is the party A's public key reconstruction public data. The pair (I_(A), γ_(A)) serves as A's implicit certificate.)
2. The CA selects a function ƒ = F(I_(A), γ_(A)), for example F(γ_(A), I_(A)) = γ_(A) + h(I_(A)) or F(γ_(A), I_(A)) = h(γ_(A) + I_(A)), where h is a secure hash function, and solves the following equation for a, which is party A's private key. If a = 0, then the CA chooses another c_(A) and re-solves the equation.

1 = cƒ + c_(A)a (mod q)

3. The CA securely sends the triple (γ_(A), a, I_(A)) to A, which is CA's signature on I_(A). Then
   - a is A's private key;
   - γ_(A) is A's generator; and
   - γ_(A)^(a) (= α^(c_(A)a)) is A's public key.
   A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain party A's (ID-based) implicitly verifiable public key from the public domain by computing

γ_(A)^(a) = αβ^(−ƒ) (mod p),

thus deriving the public key from the above equation, which requires only one exponentiation operation.

Although everyone can reconstruct party A's public key from public data, this does not mean that the reconstructed public key γ_(A)^(a) has been certified. This scheme is more effective when it is combined with an application protocol that shows that party A has complete knowledge of the corresponding private key, for example with the MQV key-agreement scheme or with any signature scheme, and particularly with KCDSA (Korean Certificate-based Digital Signature Algorithm). In general, this implicit certificate scheme can be used with any scheme which is required to verify the certificate. This may be demonstrated by referring to the Digital Signature Algorithm (DSA) signature scheme.

Suppose Alice has a private key a, generator γ_(A) and publishes (α, I_(A), β, γ_(A), p, q) in the public domain. Now Alice wants to sign a message M using DSA.

Alice does the following:

1. randomly chooses k, computes r = γ_(A)^(k) (mod p);
2. computes e = SHA-1(M);
3. computes s = k⁻¹(e + ar) (mod p);
4. The signature on M is (r, s).

Verifier does the following:

1. gets Alice's public data (α, I_(A), β, γ_(A), p, q) and reconstructs the public key

δ_(A) = γ_(A)^(a) = αβ^(−ƒ) (mod p);

2. computes e = SHA-1(M);
3. computes u₁ = es⁻¹ (mod q) and u₂ = rs⁻¹ (mod q);
4. computes r′ = γ_(A)^(u₁) δ_(A)^(u₂) mod p;
5. if r = r′, the signature is verified. At the same time Alice's (ID-based) public key is implicitly verified.

The pair (I_(A), γ_(A)) serves as the certificate of Alice. Reconstructing the public key serves as implicit verification when the application protocol results in a valid verification. Recall that obtaining the public key needs only one exponentiation operation.
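Scheme 1 and the DSA walk-through above, run end to end, as an added example that is not code from the patent. The toy parameters p = 2039, q = 1019, α = 4, the SHA-256-based F and all function names are assumptions, and s is reduced mod q here so that the verifier can invert it mod q.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: p = 2q + 1, alpha of order q.
P, Q, ALPHA = 2039, 1019, 4


def F(gamma_a: int, identity: str) -> int:
    """Assumed F: SHA-256 over gamma_A || I_A, mapped into {1, ..., q-1}."""
    data = gamma_a.to_bytes(2, "big") + identity.encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def rand_exp() -> int:
    """Random exponent in 1..q-1."""
    return 1 + secrets.randbelow(Q - 1)


def ca_keygen():
    """CA private key c and public key beta = alpha^c mod p."""
    c = rand_exp()
    return c, pow(ALPHA, c, P)


def ca_issue(c: int, identity: str):
    """Scheme 1, steps 1-3: solve 1 = c*f + c_A*a (mod q) for a."""
    while True:
        c_a = rand_exp()
        gamma_a = pow(ALPHA, c_a, P)
        f = F(gamma_a, identity)
        a = (1 - c * f) * pow(c_a, -1, Q) % Q
        if a != 0:  # the scheme re-draws c_A when a = 0
            return gamma_a, a


def reconstruct(beta: int, gamma_a: int, identity: str) -> int:
    """Step 4: gamma_A^a = alpha * beta^(-f) mod p, a single exponentiation."""
    f = F(gamma_a, identity)
    return ALPHA * pow(beta, Q - f, P) % P  # beta has order q, so beta^(q-f) = beta^(-f)


def h_msg(msg: bytes) -> int:
    """e = SHA-1(M), reduced mod q."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % Q


def sign(msg: bytes, a: int, gamma_a: int):
    """Alice signs with private key a and her own generator gamma_A."""
    e = h_msg(msg)
    while True:
        k = rand_exp()
        r = pow(gamma_a, k, P)
        s = pow(k, -1, Q) * (e + a * r) % Q
        if s != 0:  # s must be invertible mod q
            return r, s


def verify(msg: bytes, sig, beta: int, gamma_a: int, identity: str) -> bool:
    """Verifier rebuilds delta_A from (I_A, gamma_A) and checks r' == r."""
    r, s = sig
    if not (0 < r < P and 0 < s < Q):
        return False
    delta = reconstruct(beta, gamma_a, identity)
    w = pow(s, -1, Q)
    u1, u2 = h_msg(msg) * w % Q, r * w % Q
    return r == pow(gamma_a, u1, P) * pow(delta, u2, P) % P


if __name__ == "__main__":
    c, beta = ca_keygen()
    gamma_a, a = ca_issue(c, "alice")
    sig = sign(b"hello", a, gamma_a)
    print("reconstructed key matches:", reconstruct(beta, gamma_a, "alice") == pow(gamma_a, a, P))
    print("signature verifies:", verify(b"hello", sig, beta, gamma_a, "alice"))
```

A successful `verify` is what certifies the reconstructed key: `reconstruct` returns a value for any (I_(A), γ_(A)) pair, whether or not the CA ever issued it.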

In an alternate embodiment, the scheme can be generalized to most ElGamal signature schemes by modifying the signing equation appropriately. In the following section, we give some examples.

Scheme 2:

The CA uses the signing equation 1 = ca + c_(A)ƒ (mod q). The CA securely sends the triple (γ_(A), a, I_(A)) to A; then a is A's private key, β is A's generator and β^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

β^(a) = αγ_(A)^(−ƒ) (mod p)

For this scheme, each user has the same generator β, which is the CA's public key.

Scheme 3:

The CA uses the signing equation a = cƒ + c_(A) (mod q). The CA securely sends the triple (γ_(A), a, I_(A)) to A; then a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a)=β^(f)γ_(A)(mod p)

For this scheme, each user including the CA has the same generator α.

Scheme 4:

The CA uses the signing equation a ≡ c_(A)ƒ + c (mod q). The CA securely sends the triple (γ_(A), a, I_(A)) to A; then a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a) = γ_(A)^(ƒ)β (mod p)

For this scheme, each user including the CA has the same generator α.

In the above schemes the user or party A does not have freedom to choose its own private key. In the following schemes, as illustrated in FIG. 2, both the CA and the user control the user's private key, but only the user knows its private key.

Scheme 5′:

A first randomly chooses an integer k and computes α^(k), then sends it to the CA. The CA computes γ_(A) = α^(kc_(A)) mod p, and solves the following signing equation for k_(A):

1 = cƒ + c_(A)k_(A) (mod q).

Then the CA computes γ_(A)¹ = α^(c_(A)) mod p and sends the triple (γ_(A)¹, k_(A), I_(A)) to A. A computes a = k_(A)k⁻¹ (mod q) and γ_(A) = (γ_(A)¹)^(k) (mod p). Then a is A's private key, γ_(A) is A's generator and γ_(A)^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

γ_(A)^(a) = αβ^(−ƒ) (mod p)

Scheme 6:

1. A randomly chooses an integer k and computes β^(k), then sends it to the CA.
2. The CA randomly chooses an integer c_(A), computes γ_(A) = β^(k)α^(c_(A)) (mod p) and ƒ = F(γ_(A), I_(A)), and solves the signing equation for k_(A) (if k_(A) = 0, then choose another c_(A)):

1 = ck_(A) + c_(A)ƒ (mod q).

Then the CA computes γ_(A)¹ = β^(c_(A)c⁻¹) (mod p) and sends the triple (γ_(A)¹, k_(A), I_(A)) to A.
Note: (γ_(A)¹, k_(A), I_(A)) can be sent by public channel.

3. A computes γ_(A) = (γ_(A)¹)^(k⁻¹) α^(k) (mod p), ƒ = F(γ_(A), I_(A)), and a = k_(A) − kƒ (mod q) (if a = 0, 1, then go back to step 1). A then checks whether β^(a) = αγ_(A)^(−ƒ). Now a is A's private key, β is A's generator and β^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.

4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

β^(a) = αγ_(A)^(−ƒ) (mod p)

Scheme 7:

A first randomly chooses an integer k and computes α^(k), then sends it to the CA. Now the CA computes γ_(A) = α^(k)α^(c_(A)) (mod p) and solves the signing equation for k_(A):

k_(A) ≡ cƒ + c_(A) (mod q)

Then the CA computes γ_(A)¹ = (α^(k))^(c_(A)) (mod p) and sends the triple (γ_(A)¹, k_(A), I_(A)) to A. A computes γ_(A) = (γ_(A)¹)^(k⁻¹) α^(k) (mod p). Then a = k_(A) + k (mod q) is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a)=β^(f)γ_(A)(mod p)
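The Scheme 7 exchange with both sides' messages, as an added example that is not code from the patent. The toy group, the SHA-256-based F and the function names are assumptions; A's rejection of a = 0, 1 and the check α^(a) = β^(ƒ)γ_(A) are borrowed from step 4 of Scheme 15, which the text describes as a modification of Scheme 7.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: p = 2q + 1, alpha of order q.
P, Q, ALPHA = 2039, 1019, 4


def F(gamma_a: int, identity: str) -> int:
    """Assumed F: SHA-256 over gamma_A || I_A, mapped into {1, ..., q-1}."""
    data = gamma_a.to_bytes(2, "big") + identity.encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def user_request():
    """A picks k and sends only alpha^k to the CA; k never leaves A."""
    k = 1 + secrets.randbelow(Q - 1)
    return k, pow(ALPHA, k, P)


def ca_respond(c: int, alpha_k: int, identity: str):
    """CA side: gamma_A = alpha^k * alpha^c_A, k_A = c*f + c_A (mod q).

    Returns the pair (gamma_A^1, k_A) that travels back to A with I_A.
    """
    c_a = 1 + secrets.randbelow(Q - 1)
    gamma_a = alpha_k * pow(ALPHA, c_a, P) % P
    k_a = (c * F(gamma_a, identity) + c_a) % Q
    gamma_1 = pow(alpha_k, c_a, P)  # (alpha^k)^c_A
    return gamma_1, k_a


def user_finish(k: int, gamma_1: int, k_a: int, beta: int, identity: str):
    """A side: recover gamma_A, form a = k_A + k, and validate the result.

    Returns (a, gamma_A), or None when A must reject and start again.
    """
    gamma_a = pow(gamma_1, pow(k, -1, Q), P) * pow(ALPHA, k, P) % P
    a = (k_a + k) % Q
    f = F(gamma_a, identity)
    consistent = pow(ALPHA, a, P) == pow(beta, f, P) * gamma_a % P
    if a in (0, 1) or not consistent:
        return None
    return a, gamma_a


def enroll(c: int, beta: int, identity: str):
    """Run the exchange until A accepts the CA's response."""
    while True:
        k, alpha_k = user_request()
        gamma_1, k_a = ca_respond(c, alpha_k, identity)
        result = user_finish(k, gamma_1, k_a, beta, identity)
        if result is not None:
            return result


def reconstruct(beta: int, gamma_a: int, identity: str) -> int:
    """Any third party: alpha^a = beta^f * gamma_A mod p."""
    return pow(beta, F(gamma_a, identity), P) * gamma_a % P


if __name__ == "__main__":
    c = 1 + secrets.randbelow(Q - 1)
    beta = pow(ALPHA, c, P)
    a, gamma_a = enroll(c, beta, "alice")
    print("public key matches:", pow(ALPHA, a, P) == reconstruct(beta, gamma_a, "alice"))
```

Because a = k_(A) + k and the CA only ever sees α^(k), the CA contributes to the private key without learning it, and A's consistency check rejects a k_(A) altered in transit.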

Scheme 8:

1. A randomly chooses an integer k and computes α^(k), then sends it to the CA.
2. The CA randomly chooses an integer c_(A), computes γ_(A) = α^(k)α^(c_(A)) (mod p) and ƒ = F(γ_(A), I_(A)), and computes k_(A) (if k_(A) = 0, then choose another c_(A)):

k_(A) = c_(A)ƒ + c (mod q).

Then the CA computes γ_(A)¹ = (α^(k))^(c_(A)) (mod p) and sends the triple (γ_(A)¹, k_(A), I_(A)) to A.
Note: (γ_(A)¹, k_(A), I_(A)) can be sent by public channel.

3. A computes γ_(A) = (γ_(A)¹)^(k⁻¹) α^(k) (mod p), ƒ = F(γ_(A), I_(A)), and a = k_(A) + kƒ (mod q) (if a = 0, 1, then go back to step 1). A then checks whether α^(a) = γ_(A)^(ƒ)β. Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.

4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a) = γ_(A)^(ƒ)β (mod p)

In the above schemes 5-8, anyone can get some partial information about user A's private key a, since k_(A) is sent by public channel. To hide this information and to speed up computation of the above schemes, we introduce DES encryption to get the following schemes 9-12 by modifying schemes 5-8. The advantage of schemes 9-12 is that the user can compute K easily since β is fixed.

Scheme 9:

1. A randomly chooses an integer k and computes α^(k), then sends it to the CA.
2. The CA randomly chooses an integer c_(A), computes γ_(A) = α^(kc_(A)) (mod p) and ƒ = F(γ_(A), β, I_(A)), and solves the signing equation for k_(A) (if k_(A) = 0, then choose another c_(A)):

1 = cƒ + c_(A)k_(A) (mod q)

Next the CA computes K = (α^(k))^(c) (mod p) and k̄_(A) = DES_(K)(k_(A)), then sends the triple (γ_(A), k̄_(A), I_(A)) to A.

3. A computes K = β^(k) (mod p), k_(A) = DES_(K)(k̄_(A)), and a = k_(A)k⁻¹ (mod q) (if a = 1, then go back to step 1). A then checks whether γ_(A)^(a) = αβ^(−ƒ). Now a is A's private key, γ_(A) is A's generator and γ_(A)^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

γ_(A)^(a) = αβ^(−ƒ) (mod p)

Scheme 10:

1. A randomly chooses an integer k and computes β^(k), then sends it to the CA.
2. The CA randomly chooses an integer c_(A), computes γ_(A) = β^(k)α^(c_(A)) (mod p) and ƒ = F(γ_(A), β, I_(A)), and solves the signing equation for k_(A) (if k_(A) = 0, then choose another c_(A)):

1 = ck_(A) + c_(A)ƒ (mod q)

Next the CA computes K = (β^(k))^(c_(A)c⁻¹) = α^(kc_(A)) (mod p) and k̄_(A) = DES_(K)(k_(A)), then sends the triple (γ_(A), k̄_(A), I_(A)) to A.
Note: (γ_(A), k̄_(A), I_(A)) can be sent by public channel.

3. A computes K = (γ_(A)/β^(k))^(k) = α^(kc_(A)) (mod p), k_(A) = DES_(K)(k̄_(A)), ƒ = F(γ_(A), β, I_(A)) and computes a = k_(A) − kƒ (mod q) (if a = 0, 1, then go back to step 1). A then checks whether β^(a) = αγ_(A)^(−ƒ). Now a is A's private key, β is A's generator and β^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

β^(a) = αγ_(A)^(−ƒ) (mod p)

Scheme 11:

1. A randomly chooses an integer k and computes α^(k), then sends it to the CA.
2. The CA randomly chooses an integer c_(A), computes γ_(A) = α^(k)α^(c_(A)) (mod p) and ƒ = F(γ_(A), β, I_(A)), and computes k_(A) (if k_(A) = 0, then choose another c_(A)):

k_(A) = cƒ + c_(A) (mod q).

Next the CA computes K = (α^(k))^(c) (mod p) and k̄_(A) = DES_(K)(k_(A)), then sends the triple (γ_(A), k̄_(A), I_(A)) to A.
Note: (γ_(A), k̄_(A), I_(A)) can be sent by public channel.

3. A computes K = β^(k) (mod p), k_(A) = DES_(K)(k̄_(A)), and a = k_(A) + k (mod q) (if a = 0, 1, then go back to step 1). A then checks whether α^(a) = β^(ƒ)γ_(A). Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.

4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a) = β^(ƒ)γ_(A) (mod p)

Scheme 12:

1. A randomly chooses an integer k and computes α^(k), then sends it to the CA.
2. The CA randomly chooses an integer c_(A), computes γ_(A) = α^(k)α^(c_(A)) (mod p) and ƒ = F(γ_(A), β, I_(A)), and computes k_(A) (if k_(A) = 0, then choose another c_(A)):

k_(A) = c_(A)ƒ + c (mod q)

Next the CA computes K = (α^(k))^(c) (mod p) and k̄_(A) = DES_(K)(k_(A)), then sends the triple (γ_(A), k̄_(A), I_(A)) to A.
Note: (γ_(A), k̄_(A), I_(A)) can be sent by public channel.

3. A computes K = β^(k) (mod p), k_(A) = DES_(K)(k̄_(A)), ƒ = F(γ_(A), β, I_(A)), and a = k_(A) + kƒ (mod q) (if a = 0, 1, then go back to step 1). A then checks whether α^(a) = γ_(A)^(ƒ)β. Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q). Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a) = γ_(A)^(ƒ)β (mod p)

The advantages of schemes 9-12 are that user A can compute K easily since β is fixed, and that k_(A) is encrypted so that no one else can know it.

Note that for schemes 5-12, adding an option parameter OP to the function F(γ_(A), β, I_(A)) (i.e., ƒ = F(γ_(A), β, I_(A), OP)) will make the schemes more useful. For example, OP = α^(a_(E)), where a_(E) is user A's private encryption key and α^(a_(E)) is user A's public encryption key. The following scheme 15 is a modification of scheme 7. Schemes 5-12 can be modified in the same way. The schemes 1-4 can also be modified in the same way.

Scheme 13:

1. A randomly chooses an integer k and computes α^(k), then sends it to the CA.
2. The CA randomly chooses an integer c_(A), computes γ_(A) = α^(k)α^(c_(A)) (mod p) and ƒ = F(γ_(A), I_(A), OP), and computes k_(A) (if k_(A) = 0, then choose another c_(A)):

k_(A) ≡ cƒ + c_(A) (mod q).

Next the CA computes K = H((α^(k))^(c)) and k̄_(A) = DES_(K)(k_(A)), then sends the triple (ƒ, k̄_(A), I_(A)) to A.

3. A computes K = H(β^(k)), k_(A) = DES_(K)(k̄_(A)), and a = k_(A) + k (mod q) (if a = 0, 1, then go back to step 1). A then computes γ_(A) = α^(a)β^(−ƒ) (mod p) and checks whether ƒ = F(γ_(A), I_(A), OP). Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.

4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a) = β^(ƒ)γ_(A) (mod p)

Furthermore we can reduce the bandwidth by following scheme 14.

Scheme 14:

1. A randomly chooses an integer k and computes α^(k), then sends it to the CA.
2. The CA randomly chooses an integer c_(A), computes γ_(A) = α^(k)α^(c_(A)) (mod p) and sets γ̂_(A) as the first 80 least significant bits of γ_(A). It then computes ƒ = F(γ̂_(A), I_(A), OP) and k_(A) (if k_(A) = 0, then choose another c_(A)):

k_(A) ≡ cƒ + c_(A) (mod q).

Next the CA computes K = (α^(k))^(c) (mod p) and k̄_(A) = DES_(K)(k_(A)), then sends the triple (γ̂_(A), k̄_(A), I_(A)) to A.
Note: (γ̂_(A), k̄_(A), I_(A)) can be sent by public channel.

3. A computes K = β^(k) (mod p), k_(A) = DES_(K)(k̄_(A)), and a = k_(A) + k (mod q) (if a = 0, 1, then go back to step 1). A then computes ƒ = F(γ̂_(A), β, I_(A)) and γ_(A) = α^(a)β^(−ƒ) (mod p), and checks whether the first 80 least significant bits of γ_(A) are γ̂_(A). Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.

4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a) = β^(ƒ)γ_(A) (mod p)

The security level of scheme 5.c is not the same as that of the other schemes we discussed before. Scheme 5.c only has 80-bit security, but this is acceptable for practical application now. We can extend the first 80 least significant bits to the half least significant bits of γ_(A).

The implicit certificate can be used to certify some other useful information by including the information in the option parameter OP. For example, OP = α^(a_(E))∥OP₂, where a_(E) is another private key of user A and α^(a_(E)) is the corresponding public key. The following scheme 15 is a modification of scheme 7. Other schemes can be modified in the same way.

Scheme 15:

1. A randomly chooses an integer a_(E) and computes α^(a_(E)).
2. A randomly chooses an integer k and computes α^(k), then sends α^(k) and α^(a_(E)) to the CA.
3. The CA randomly chooses an integer c_(A), computes γ_(A) = α^(k)α^(c_(A)) (mod p) and ƒ = F(γ_(A), β, I_(A), α^(a_(E))) (for example, ƒ = F(γ_(A), β, I_(A), α^(a_(E))) = h(γ_(A)∥β∥I_(A)∥α^(a_(E)))), and computes k_(A) (if k_(A) = 0, then choose another c_(A)):

k_(A) = cƒ + c_(A) (mod q)

Then the CA computes γ_(A)¹ = (α^(k))^(c_(A)) (mod p) and sends the triple (γ_(A)¹, k_(A), I_(A)) to A.
Note: (γ_(A)¹, k_(A), I_(A)) can be sent by public channel.

4. A computes a = k_(A) + k (mod q) (if a = 0, 1, then go back to step 1) and computes γ_(A) = (γ_(A)¹)^(k⁻¹) α^(k) (mod p). A then checks whether α^(a) = β^(ƒ)γ_(A). Now a is A's private signing key, α is A's generator and α^(a) is A's public signing key; a_(E) is A's private encryption key and α^(a_(E)) is A's public encryption key. A publishes (α, α^(a_(E)), I_(A), β, γ_(A), p, q) in the public domain.
5. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a) = β^(ƒ)γ_(A) (mod p)

Notes: (for scheme 13-15)

1. The identity I_(A) may be chosen either by the CA or by entity A.
2. The CA should authenticate the entity A. It can be done by the method described in note 2 of scheme 11.
3. (ƒ, k̄_(A), I_(A)) or (γ̂_(A), k̄_(A), I_(A)) or (γ_(A)¹, k_(A), I_(A)) can be sent by public channel.

In our schemes, (a, γ_(A)) is the CA's signature on A's ID I_(A); it was supposed to be known by the public. But now only user A knows a. So when we use these schemes, we should make sure that in the application protocol user A knows his/her own private key. In other words, the application protocol must guarantee that A uses his/her private key in the computation.

The security of the new scheme depends on the signing equations. For example, in scheme 1, the signing equation is

1 = cƒ + c_(A)a (mod q).  (1)

We are going to show that for some choice of the one-way function F(γ_(A), I_(A)), the new scheme 1 is equivalent to DSA.

Let's consider the CA using the DSA signing equation to sign A's identity I_(A). First the CA randomly chooses a c_(A) and computes γ_(A) = α^(c_(A)) mod p, then the CA uses a secure hash function h to compute h(I_(A)), and finally the CA solves the following equation for s.

h(I_(A)) ≡ cγ_(A) + c_(A)s (mod q).  (2)

Now (γ_(A), s) is the CA's signature on I_(A).

Multiplying equation (2) by h(I_(A))⁻¹ we get

1 ≡ cγ_(A)h(I_(A))⁻¹ + c_(A)sh(I_(A))⁻¹ (mod q)

Letting F(γ_(A), I_(A)) = γ_(A)h(I_(A))⁻¹ and replacing sh(I_(A))⁻¹ by a in the above equation, we get equation (1). Obviously, equation (2) is equivalent to equation (1) if F(γ_(A), I_(A)) = γ_(A)h(I_(A))⁻¹. That means that if anyone can break the scheme using the signing equation (1), then he/she can break the scheme using the signing equation (2), which is the DSA scheme.

Heuristic arguments suggest our new schemes are secure for a suitable choice of F(γ_(A), I_(A)), where F(γ_(A), I_(A)) = γ_(A)h(I_(A)) or F(γ_(A), I_(A)) = h(γ_(A), I_(A)). Note that F(γ_(A), I_(A)) can be in some other format; for example, when I_(A) is small, say 20 bits, but q is more than 180 bits, then we can use F(γ_(A), I_(A)) = γ_(A) + I_(A). A disadvantage of the new schemes is that all users and the CA use the same field size. However, this is the way that all ID-based implicitly certified public key schemes work, for example Girault's RSA-based Diffie-Hellman public key agreement scheme.
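The substitution in the equivalence argument above, carried out numerically, as an added example that is not code from the patent. The toy group, the SHA-256-based h (mapped to non-zero values so that h(I_(A))⁻¹ exists) and the function names are assumptions; c_(A) is returned only so the result can be checked against equation (1).

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: p = 2q + 1, alpha of order q.
P, Q, ALPHA = 2039, 1019, 4


def h(identity: str) -> int:
    """Assumed hash into {1, ..., q-1}, so h(I_A) is invertible mod q."""
    digest = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def sign_identity_eq2(c: int, identity: str):
    """Equation (2): solve h(I_A) = c*gamma_A + c_A*s (mod q) for s.

    Returns (gamma_A, s, c_A); c_A is exposed for checking only.
    """
    c_a = 1 + secrets.randbelow(Q - 1)
    gamma_a = pow(ALPHA, c_a, P)
    s = (h(identity) - c * gamma_a) * pow(c_a, -1, Q) % Q
    return gamma_a, s, c_a


def verify_eq2(beta: int, gamma_a: int, s: int, identity: str) -> bool:
    """Public check of equation (2): alpha^h(I_A) = beta^gamma_A * gamma_A^s."""
    lhs = pow(ALPHA, h(identity), P)
    return lhs == pow(beta, gamma_a % Q, P) * pow(gamma_a, s, P) % P


def to_scheme1(gamma_a: int, s: int, identity: str):
    """Multiply (2) by h(I_A)^-1: f = gamma_A * h^-1, a = s * h^-1 (mod q)."""
    h_inv = pow(h(identity), -1, Q)
    return gamma_a * h_inv % Q, s * h_inv % Q


def scheme1_public_key(beta: int, f: int) -> int:
    """Scheme 1 reconstruction with this F: gamma_A^a = alpha * beta^(-f)."""
    return ALPHA * pow(beta, (-f) % Q, P) % P


if __name__ == "__main__":
    c = 1 + secrets.randbelow(Q - 1)
    beta = pow(ALPHA, c, P)
    gamma_a, s, c_a = sign_identity_eq2(c, "alice")
    f, a = to_scheme1(gamma_a, s, "alice")
    print("equation (2) verifies:", verify_eq2(beta, gamma_a, s, "alice"))
    print("equation (1) holds:", (c * f + c_a * a) % Q == 1)
    print("key reconstructs:", pow(gamma_a, a, P) == scheme1_public_key(beta, f))
```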

A further set of schemes may also be described as follows:

System setup: A trusted party CA selects an appropriate prime p with p = tq+1, where q is a large prime, and a generator α of order q. The CA selects a random integer c, with 1 < c < q, as its private key, computes the public key β = α^(c) mod p and publishes (β, α, p, q). Then the CA chooses a special cryptographic function ƒ = F(γ_(A), I_(A), OP) (ƒ: {0,1}* → {1, 2, …, q−1}) such that, with this function, the signature scheme which is used to produce the implicit certificate is secure, where OP represents some option parameters that the user may be concerned with (such as the date, or β, the CA's public key). For example, let h be a secure hash function; ƒ can be in one of the following formats:

1. F(γ_(A), I_(A), OP) = γ_(A) + β + h(I_(A))
2. F(γ_(A), I_(A), OP) = h(γ_(A)∥β∥I_(A))
3. F(γ_(A), I_(A), OP) = γ_(A) + β + I_(A), where I_(A) has some pattern (or when I_(A) is small, say 20 bits, and q is more than 180 bits)
4. F(γ_(A), I_(A), OP) = γ_(A) + h(I_(A))
5. F(γ_(A), I_(A), OP) = h(γ_(A)∥I_(A))
6. F(γ_(A), I_(A), OP) = γ_(A) + I_(A), where I_(A) has some pattern (or when I_(A) is small, say 20 bits, and q is more than 180 bits)
7. It is very easy to change the parameters a little bit to get a secure signature scheme from a given secure signature scheme, so F(γ_(A), I_(A), OP) can be in any other format that guarantees that the signature scheme which is used to produce the implicit certificate is secure. Note that by suitably choosing F(γ_(A), I_(A), OP), any ElGamal-like signature scheme we know so far is equivalent to one of the 4 families of schemes we proposed in this paper if it is used as an implicit certificate scheme after modification. But our proposed schemes have the most efficiency.

Note: the above system setup will be assumed in the following schemes.

Scheme 1.a:

1. For each entity A, the CA chooses a unique distinguished name or identity I_(A) (e.g., name, address, phone number), and a random integer c_(A) with 1 < c_(A) < q. Then the CA computes γ_(A) = α^(c_(A)) mod p. (γ_(A) is A's public key reconstruction public data. (I_(A), γ_(A)) serves as A's implicit certificate.)
2. The CA computes ƒ = F(γ_(A), I_(A), OP) and solves the following equation for a (if a = 0, 1, c, c_(A)⁻¹c, then the CA chooses another c_(A) and re-solves the equation).

1 = cƒ + c_(A)a (mod q).

3. The CA securely sends the triple (γ_(A), a, I_(A)) to A, which is the CA's signature on I_(A). Then a is A's private key, γ_(A) is A's generator and γ_(A)^(a) (= α^(c_(A)a)) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain A's (ID-based) implicitly verified public key from the public domain by computing

γ_(A)^(a) = αβ^(−ƒ) (mod p)

Note:

1. In step 1, the identity I_(A) may be chosen by entity A.
2. In step 2, we exclude a = 0, 1, since in this case anyone can easily know A's private key. Especially when a = 0, c_(A)⁻¹c, anyone can compute the CA's private key c from 1 = cƒ (mod q).
3. For this scheme, each user has a different system generator γ_(A).

Scheme 1.b:

1. For each entity A, the CA chooses a unique distinguished name or identity I_(A) (e.g., name, address, phone number), and a random integer c_(A) with 1 < c_(A) < q. Then the CA computes γ_(A) = α^(c_(A)) mod p. (γ_(A) is A's public key reconstruction public data. (I_(A), γ_(A)) serves as A's implicit certificate.)
2. The CA computes ƒ = F(γ_(A), I_(A), OP) and solves the following equation for a (if a = 0, 1, c, then the CA chooses another c_(A) and re-solves the equation).

1 ≡ ca + c_(A)ƒ (mod q).

3. The CA securely sends the triple (γ_(A), a, I_(A)) to A, which is the CA's signature on I_(A). Then a is A's private key, β is A's generator and β^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain A's (ID-based) implicitly verified public key from the public domain by computing

β^(a) = αγ_(A)^(−ƒ) (mod p)

Note:

1. In step 1, the identity I_(A) may be chosen by entity A.
2. In step 2, we exclude a = 0, 1, since in this case anyone can easily know A's private key. When a = 0, the certificate does not involve the CA.
3. For this scheme, each user has the same system generator β.

Scheme 1.c:

-   -   1. For each entity A, CA chooses a unique distinguished name or identity I_(A) (e.g., name, address, phone number), and a random integer c_(A) with 1<c_(A)<q. Then CA computes γ_(A)=α^(c_(A)) mod p. (γ_(A) is A's public key reconstruction public data. (I_(A), γ_(A)) serves as A's implicit certificate.)
-   -   2. CA computes ƒ=F(γ_(A), I_(A), OP) and solves the following equation for a (if a=0, 1 or c, then CA chooses another c_(A) and re-solves the equation).

a≡cƒ+c _(A)(mod q).

-   -   3. CA securely sends the triple (γ_(A), a, I_(A)) to A, which is CA's signature on I_(A). Then a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.
-   -   4. Anyone can obtain A's (ID-based) implicitly verified public key from the public domain by computing

α^(a)=β^(ƒ)γ_(A)(mod p)

Note:

-   -   1. In step 1, the identity I_(A) may be chosen by entity A.
-   -   2. In step 2, we exclude a=0, 1, since in this case anyone can easily know A's private key.
-   -   3. For this scheme, each user has the same system generator α.

Scheme 1.d:

-   -   1. For each entity A, CA chooses a unique distinguished name or identity I_(A) (e.g., name, address, phone number), and a random integer c_(A) with 1<c_(A)<q. Then CA computes γ_(A)=α^(c_(A)) mod p. (γ_(A) is A's public key reconstruction public data. (I_(A), γ_(A)) serves as A's implicit certificate.)
-   -   2. CA computes ƒ=F(γ_(A), I_(A), OP) and solves the following equation for a (if a=0, 1 or c, then CA chooses another c_(A) and re-solves the equation).

a≡c _(A) ƒ+c(mod q).

-   -   3. CA securely sends the triple (γ_(A), a, I_(A)) to A, which is CA's signature on I_(A). Then a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, γ_(A), β, γ_(A), p, q) in public domain.
-   -   4. Anyone can obtain A's (ID-based) implicitly verified public key from the public domain by computing

α^(a)=γ_(A) ^(ƒ)β(mod p)

Note:

-   -   1. In step 1, the identity I_(A) may be chosen by entity A.
-   -   2. In step 2, we exclude a=0, 1, since in this case anyone can easily know A's private key.
-   -   3. For this scheme, each user has the same system generator α.

Although everyone can reconstruct user A's public key from public data, this does not mean that the reconstructed public key has been certified. To explicitly verify the certificate, we need to know a. Once we know a, the verification process becomes verifying CA's signature on I_(A). For example, in scheme 1.a, if the verifier computes αβ^(−ƒ) and user A computes γ_(A)^(a) using a, then they can verify the certificate together. But the verifier must make sure that user A indeed knows a. So reconstructing the public key serves as an implicit verification only if it is combined with an application protocol that shows user A has complete knowledge of the corresponding private key. In general, the implicit certificate scheme can be used with any public key scheme which needs to authenticate the subject entity and the public key.

Let's demonstrate it by using the DSA signature scheme as the implicitly certified public key system and scheme 1.a as the implicit certificate scheme.

Suppose Alice has private key a, generator γ_(A) and publishes (α, I_(A), β, γ_(A), p, q) in public domain. Now Alice wants to sign a message M using DSA.

Alice does the following:

1. randomly chooses k, computes r=γ_(A) ^(x)(mod p).

2. computes e=SHA-1(M).

3. computes s=x⁻¹(e+ar)(mod q)

4. The signature on M is (r,s).

Verifier does following

-   -   1. gets Alice's public data (α, I_(A), β, γ_(A), p, q) and computes ƒ and reconstructs the public key

β_(A)=γ_(A)^(a)=αβ^(−ƒ) (mod p)

-   -   2. computes e=SHA-1(M).
-   -   3. computes u₁=es⁻¹ (mod q) and u₂=rs⁻¹ (mod q)
-   -   4. computes r′=γ_(A)^(u₁) δ_(A)^(u₂) (mod p)
-   -   5. if r=r′, the signature is verified. At the same time Alice's (ID-based) public key is implicitly verified.

The pair (I_(A), γ_(A)) serves as the certificate of Alice. For DSA, we know that it is very hard to forge Alice's signature without knowing a. Then reconstructing the public key serves as implicit verification when the application protocol ends up valid. Recall that obtaining the public key needs only one exponentiation operation. For this reason, we say that verifying the implicit certificate needs one exponentiation operation.
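The DSA walk-through above, as an added Python example (not code from the patent). It assumes the scheme 1.a signing equation 1 ≡ cƒ + c_(A)·a (mod q) implied by the reconstruction formula γ_(A)^(a)=αβ^(−ƒ), uses SHA-256 in place of both F and the page's SHA-1, writes the per-signature secret as x, and builds a demonstration-sized group; all function names are hypothetical.

```python
import hashlib
import secrets
from math import gcd


def setup(q=2**127 - 1):
    """Return (p, q, alpha): p = t*q + 1 prime, alpha of order q; q is the Mersenne prime M127."""
    for t in range(2, 1 << 20, 2):
        p = t * q + 1
        alpha = pow(2, t, p)
        # Pocklington: 2^(p-1) == 1 and gcd(2^t - 1, p) == 1 prove p prime because q > sqrt(p).
        if pow(alpha, q, p) == 1 and gcd(alpha - 1, p) == 1:
            return p, q, alpha
    raise RuntimeError("no suitable p found")


def hash_to_zq(data, q):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def F(gamma, identity, q):
    """Assumed F(gamma_A, I_A): SHA-256 over gamma_A and the identity, reduced mod q."""
    return hash_to_zq(str(gamma).encode() + b"|" + identity.encode(), q)


def ca_keygen(p, q, alpha):
    c = secrets.randbelow(q - 1) + 1              # CA private key c
    return c, pow(alpha, c, p)                    # beta = alpha^c


def issue_1a(p, q, alpha, c, identity):
    """CA side of scheme 1.a: solve 1 = c*f + c_A*a (mod q) for a; returns (gamma_A, a)."""
    while True:
        c_A = secrets.randbelow(q - 2) + 2        # 1 < c_A < q
        gamma = pow(alpha, c_A, p)                # reconstruction data and A's generator
        f = F(gamma, identity, q)
        a = (1 - c * f) * pow(c_A, -1, q) % q
        if a not in (0, 1):                       # values excluded in the notes
            return gamma, a


def reconstruct(p, q, alpha, beta, gamma, identity):
    """Anyone: gamma_A^a = alpha * beta^(-f) mod p, one exponentiation."""
    return alpha * pow(beta, -F(gamma, identity, q), p) % p


def dsa_sign(p, q, gamma, a, msg):
    while True:
        x = secrets.randbelow(q - 1) + 1
        r = pow(gamma, x, p)
        s = pow(x, -1, q) * (hash_to_zq(msg, q) + a * r) % q
        if s:
            return r, s


def dsa_verify(p, q, alpha, beta, gamma, identity, msg, sig):
    r, s = sig
    if not (0 < r < p and 0 < s < q):
        return False
    if gamma == 1 or pow(gamma, q, p) != 1:       # gamma_A must generate the order-q subgroup
        return False
    pub = reconstruct(p, q, alpha, beta, gamma, identity)
    w = pow(s, -1, q)
    u1, u2 = hash_to_zq(msg, q) * w % q, r * w % q
    return r == pow(gamma, u1, p) * pow(pub, u2, p) % p


if __name__ == "__main__":
    p, q, alpha = setup()
    c, beta = ca_keygen(p, q, alpha)
    gamma, a = issue_1a(p, q, alpha, c, "alice@example.test")   # constructed identity
    sig = dsa_sign(p, q, gamma, a, b"constructed message")
    print(dsa_verify(p, q, alpha, beta, gamma, "alice@example.test", b"constructed message", sig))
    print(dsa_verify(p, q, alpha, beta, gamma, "mallory@example.test", b"constructed message", sig))
```

The verifier never receives Alice's public key: a signature that checks out under the key rebuilt from (I_(A), γ_(A)) and β is what ties the key to the identity, which is why the second call, with a different identity, fails.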

The following implicit certificate schemes may be derived by modifying the schemes above such that CA and entity both control the entity's private key but only the subject entity knows his/her private key.

In this section we need another system parameter H(*), where H(*) is a cryptographic function which may be a secure hash function or one-way function or identity map.

Scheme 2.a:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(kc_(A)) (mod p) and ƒ=F(γ_(A), I_(A), OP), solves the signing equation for k_(A) (if k_(A)=0 or c, then chooses another c_(A))

1=cƒ+c _(A) k _(A)(mod q).

-   -   Then CA computes γ_(A) ¹=α^(c_(A)) (mod p) and sends the triple (γ_(A) ¹, k_(A), I_(A)) to A.

-   3. A computes a=k_(A)k⁻¹ (mod q) (if a=1, then goes back to step 1) and computes γ_(A)=(γ_(A) ¹)^(k) (mod p). Then checks if γ_(A)^(a)=αβ^(−ƒ). Now a is A's private key, γ_(A) is A's generator and γ_(A)^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.

-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

γ_(A) ^(a)=αβ^(−ƒ)(mod p)

Scheme 2.b:

-   1. A randomly chooses an integer k and computes β^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=β^(k)α^(c_(A)) (mod p) and ƒ=F(γ_(A), I_(A), OP), solves the signing equation for k_(A) (if k_(A)=0, c, then chooses another c_(A))

1=ck _(A) +c _(A)ƒ(mod q).

-   -   Then CA computes γ_(A)=(β^(k))^(c_(A)c⁻¹) (mod p) and sends the triple (γ_(A) ¹, k_(A), I_(A)) to A.

-   3. A computes γ_(A)=(γ_(A) ¹)^(k⁻¹) β^(k) (mod p), ƒ=F(γ_(A), I_(A), OP), and a=k_(A)−kƒ (mod q) (if a=0, 1, then goes back to step 1). Then checks if β^(a)=αγ_(A)^(−ƒ). Now a is A's private key, β is A's generator and β^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.

-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

β^(a)=αγ_(A) ^(−ƒ)(mod p)

Scheme 2.c:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_(A)) (mod p) and ƒ=F(γ_(A), I_(A), OP), computes k_(A) (if k_(A)=c, then chooses another c_(A))

k _(A) ≡cƒ+c _(A)(mod q).

-   -   Then CA computes γ_(A) ¹=(α^(k))^(c_(A)) (mod p) and sends the triple (γ_(A) ¹, k_(A), I_(A)) to A.

-   3. A computes a=k_(A)+k (mod q) (if a=0, 1, then goes back to step 1) and computes γ_(A)=(γ_(A) ¹)^(k⁻¹) α^(k) (mod p). Then checks if α^(a)=β^(ƒ)γ_(A). Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.

-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a)=β^(ƒ)γ_(A)(mod p)

Scheme 2.d:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_(A)) (mod p) and ƒ=F(γ_(A), I_(A), OP), computes k_(A) (if k_(A)=c_(A), then chooses another c_(A))

k _(A) ≡c _(A) ƒ+c(mod q).

-   -   Then CA computes γ_(A) ¹=(α^(k))^(c_(A)) (mod p) and sends the triple (γ_(A) ¹, k_(A), I_(A)) to A.

-   3. A computes γ_(A)=(γ_(A) ¹)^(k⁻¹) α^(k) (mod p), ƒ=F(γ_(A), I_(A), OP), and a=k_(A)+kƒ (mod q) (if a=0, 1, then goes back to step 1). Then checks if α^(a)=γ_(A)^(ƒ)β. Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.

-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a)=γ_(A) ^(ƒ)β(mod p)

Notes: (for Scheme 2.a, 2.b, 2.c, 2.d)

-   -   1. The identity I_(A) may be chosen either by CA or by entity A.
-   -   2. CA should authenticate the entity A. It can be done either by presence in front of CA or by secure channel or by voice (for example, on the phone) or by the following method: In step 2, instead of sending the triple (γ_(A) ¹, k_(A), I_(A)) to A, CA first sends γ_(A) ¹ to A. A computes γ_(A), sets K=H(γ_(A)), encrypts the authentication information A_(A1) of A (such as VISA information) by DES (or other symmetric key system) and sends DES_(K)(A_(A1)) to CA. CA decrypts the DES_(K)(A_(A1)) to get A_(A1). After checking the validity of A_(A1), CA then sends (k_(A), I_(A)) to A.
-   -   3. (γ_(A) ¹, k_(A), I_(A)) can be sent by public channel.

In the above schemes 2.a-2.d, the implicit certificate schemes are completed by the subject entity and the CA. Each scheme is essentially divided into two parts: a key-exchange part and a signature part. One function of the key exchange part is to transmit implicit certificate information from CA to A by public channel (more discussion will be given in section 6). To speed up computation of the above schemes, we can modify the key exchange part. The following schemes 3.a-3.d are obtained by modifying schemes 2.a-2.d. The advantage of schemes 3.a-3.d is that user A can compute K before he gets a response from the CA since β is fixed. This property is good especially for the online case.

Scheme 3.a:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(kc_(A)) (mod p) and ƒ=F(γ_(A), I_(A), OP), solves the signing equation for k_(A) (if k_(A)=0, then choose another c_(A))

1=cƒ+c _(A) k _(A)(mod q).

-   -   Next CA computes K=H((α^(k))^(c)) and k _(A)=DES_(K)(k_(A)), then sends the triple (γ_(A), k _(A), I_(A)) to A.

-   3. A computes K=H(β^(k)), k_(A)=DES_(K)( k _(A)), and a=k_(A)k⁻¹ (mod q) (if a=1, then goes back to step 1). Then checks if γ_(A)^(a)=αβ^(−ƒ). Now a is A's private key, γ_(A) is A's generator and γ_(A)^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.

-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

γ_(A) ^(a)=αβ^(−ƒ)(mod p)

Scheme 3.b:

-   1. A randomly chooses an integer k and computes β^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=β^(k)α^(c_(A)) (mod p) and ƒ=F(γ_(A), I_(A), OP), solves the signing equation for k_(A) (if k_(A)=0, then choose another c_(A))

1=ck _(A) +c _(A)ƒ(mod q).

-   -   Next CA computes K=H((β^(k))^(c_(A)c⁻¹))=H(α^(kc_(A))) and k _(A)=DES_(K)(k_(A)), then sends the triple (γ_(A), k _(A), I_(A)) to A.

-   3. A computes K=H((γ_(A)/β^(k))^(k))=H(α^(kc_(A))), k_(A)=DES_(K)( k _(A)), ƒ=F(γ_(A), I_(A), OP) and computes a=k_(A)−kƒ (mod q) (if a=0, 1, then goes back to step 1). Then checks if β^(a)=αγ_(A)^(−ƒ). Now a is A's private key, β is A's generator and β^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.

-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

β^(a)=αγ_(A) ^(−ƒ)(mod p)

Note: (for Scheme 3.b)

-   -   1. The identity I_(A) may be chosen either by CA or by entity A.
-   -   2. CA should authenticate the entity A. It can be done either by presence in front of CA or by secure channel or by voice (for example, on the phone) or by the following method: In step 2, instead of sending the triple (γ_(A), k _(A), I_(A)) to A, CA first sends γ_(A) to A. A computes K=H((γ_(A)/β^(k))^(k))=H(α^(kc_(A))), encrypts the authentication information A_(A1) of A (such as VISA information) by DES (or other symmetric key system) and sends DES_(K)(A_(A1)) to CA. CA decrypts the DES_(K)(A_(A1)) to get A_(A1). After checking the validity of A_(A1), CA then sends ( k _(A), I_(A)) to A.
-   -   3. (γ_(A), k _(A), I_(A)) can be sent by public channel.

Scheme 3.c:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_(A)) (mod p) and ƒ=F(γ_(A), I_(A), OP), computes k_(A) (if k_(A)=0, then choose another c_(A))

k _(A) ≡cƒ+c _(A)(mod q).

-   -   Next CA computes K=H((α^(k))^(c)) and k _(A)=DES_(K)(k_(A)), then sends the triple (γ_(A), k _(A), I_(A)) to A.

-   3. A computes K=H(β^(k)), k_(A)=DES_(K)( k _(A)), and a=k_(A)+k (mod q) (if a=0, 1, then goes back to step 1). Then checks if α^(a)=β^(ƒ)γ_(A). Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.

-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a)=β^(ƒ)γ_(A)(mod p)

Scheme 3.d:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_(A)) (mod p) and ƒ=F(γ_(A), I_(A), OP), computes k_(A) (if k_(A)=0, then choose another c_(A))

k _(A) ≡c _(A) ƒ+c(mod q).

-   -   Next CA computes K=H((α^(k))^(c)) and k _(A)=DES_(K)(k_(A)), then sends the triple (γ_(A), k _(A), I_(A)) to A.

-   3. A computes K=H(β^(k)), k_(A)=DES_(K)( k _(A)), ƒ=F(γ_(A), I_(A), OP), and a=k_(A)+kƒ (mod q) (if a=0, 1, then goes back to step 1). Then checks if α^(a)=γ_(A)^(ƒ)β. Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.

-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a)=γ_(A) ^(ƒ)β(mod p)

Notes: (for Scheme 3.a, 3.c, 2.d)

-   -   1. The identity I_(A) may be chosen either by CA or by entity A.
-   -   2. CA should authenticate the entity A. It can be done either by presence in front of CA or by secure channel or by voice (for example, on the phone) or by the following method: In step 1, A computes α^(k) and K=H(β^(k)), then sends α^(k) and DES_(K)(A_(A1)) to CA. CA computes K=H((α^(k))^(c)) and decrypts the DES_(K)(A_(A1)) to get A_(A1). After checking the validity of A_(A1), CA continues step 2.
-   -   3. (γ_(A), k_(A), I_(A)) can be sent by public channel.

The advantages of schemes 3.a, 3.c and 3.d are that user A can compute K easily since β is fixed and that k_(A) is encrypted such that no other people can know it. In fact the publicity of k_(A) does not decrease the security of the certificate scheme. The purpose of encrypting k_(A) is to make sure that the entity knows k. So for schemes 3.a-3.d, the DES encryption part can be removed and k_(A) can be replaced by k_(A) provided the certificate scheme uses the method described in Note 2.

To save transmission bandwidth in the above schemes, we can modify them by sending ƒ=F(γ_(A), I_(A), OP) instead of γ_(A). (Note that in general, the size of γ_(A) is larger than 160 bits and ƒ is just 160 bits.) The following scheme 4.c is a modification of scheme 3.c.

Scheme 4.c:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_(A)) (mod p) and ƒ=F(γ_(A), I_(A), OP), computes k_(A) (if k_(A)=0, then choose another c_(A))

k _(A) ≡cƒ+c _(A)(mod q).

-   -   Next CA computes K=H((α^(k))^(c)) and k _(A)=DES_(K)(k_(A)), then sends the triple (ƒ, k _(A), I_(A)) to A.

-   3. A computes K=H(β^(k)), k_(A)=DES_(K)( k _(A)), and a=k_(A)+k (mod q) (if a=0, 1, then goes back to step 1). Then computes γ_(A)=α^(a)β^(−ƒ) (mod p) and checks if ƒ=F(γ_(A), I_(A), OP). Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.

-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a)=β^(ƒ)γ_(A)(mod p)

Furthermore we can reduce the bandwidth by following scheme 5.c.

Scheme 5.c:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_(A)) (mod p) and sets γ̂_(A) as the first 80 least significant bits of γ_(A). Then computes ƒ=F(γ̂_(A), I_(A), OP) and k_(A) (if k_(A)=0, then choose another c_(A))

k _(A) ≡cƒ+c _(A)(mod q).

-   -   Next CA computes K=(α^(k))^(c) (mod p) and k _(A)=DES_(K)(k_(A)), then sends the triple (γ̂_(A), k _(A), I_(A)) to A.
-   -   Note: (γ̂_(A), k _(A), I_(A)) can be sent by public channel.

-   3. A computes K=β^(k) (mod p), k_(A)=DES_(K)( k _(A)), and a=k_(A)+k (mod q) (if a=0, 1, then goes back to step 1). Then computes ƒ=F(γ̂_(A), β, I_(A)), γ_(A)=α^(a)β^(−ƒ) (mod p) and checks if the first 80 least significant bits of γ_(A) is γ̂_(A). Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.

-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a)=β^(ƒ)γ_(A)(mod p)

The security level of scheme 5.c does not match that of the other schemes discussed before. Scheme 5.c only has 80 bit security. But it is OK for practical application now. We can extend the first 80 least significant bits to the half least significant bits of γ_(A).

The implicit certificate can be used to certify some other useful information by including the information in the option parameter OP. For example OP=α^(a_(E))∥OP₂, where a_(E) is another private key of user A and α^(a_(E)) is the corresponding public key. The following scheme 6.c is a modification of scheme 2.c. Other schemes can be modified in the same way.

Scheme 6.c:

-   1. A randomly chooses an integer a_(E) and computes α^(a_(E)).
-   2. A randomly chooses an integer k and computes α^(k), then sends α^(k) and α^(a_(E)) to CA.
-   3. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_(A)) (mod p) and ƒ=F(γ_(A), I_(A), α^(a_(E)), OP₂) (for example, F(γ_(A), I_(A), α^(a_(E)), OP₂)=h(γ_(A)∥I_(A)∥α^(a_(E)))), computes k_(A) (if k_(A)=0, then choose another c_(A))

k _(A) ≡cƒ+c _(A)(mod q).

-   -   Then CA computes γ_(A) ¹=(α^(k))^(c_(A)) (mod p) and sends the triple (γ_(A) ¹, k_(A), I_(A)) to A.

-   4. A computes a=k_(A)+k (mod q) (if a=0, 1, then goes back to step 1) and computes γ_(A)=(γ_(A) ¹)^(k⁻¹) α^(k) (mod p). Then checks if α^(a)=β^(ƒ)γ_(A). Now a is A's private signing key, α is A's generator and α^(a) is A's public signing key. a_(E) is A's private encryption key and α^(a_(E)) is A's public encryption key. A publishes (α, α^(a_(E)), I_(A), β, γ_(A), p, q) in public domain.

-   5. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

α^(a)=β^(ƒ)γ_(A)(mod p)

Notes: (for Scheme 4.c, 5.c, 6.c)

-   1. The identity I_(A) may be chosen either by CA or by entity A.
-   2. CA should authenticate the entity A. It can be done by the method described in the note 2 of scheme 3.c.
-   3. (ƒ, k _(A), I_(A)) or (γ̂_(A), k_(A), I_(A)) or (γ_(A) ¹, k_(A), I_(A)) can be sent by public channel.

CA Chaining Scheme

The implicit certificate schemes can implement a CA chaining structure, that is, CA1 authenticates CA2, CA2 authenticates CA3 and CA3 authenticates user A. In this section, we present an example with 3 CAs in the CA chain. We use basic scheme 3′ to demonstrate this example.

System Setup:

The highest trusted party CA1 selects an appropriate prime p with p=tq+1 where q is a large prime and a generator α of order q. CA1 selects a random integer c₁, with 1≦c₁≦q−1 as its private key, then computes the public key β₁=α^(c₁) mod p and publishes (β₁, α, p, q).

Phase 1. CA2 Applies for Implicit Certified Public Key from CA1.

-   -   1. CA2 randomly chooses an integer k₂ and computes α^(k₂), then sends it to CA1.
-   -   2. CA1 chooses a unique distinguished name or identity I_(CA2) and a random integer c_(CA2) with 1≦c_(CA2)≦q−1. Then CA1 computes γ_(CA2)=α^(k₂)α^(c_(CA2)) (mod p). (γ_(CA2) is CA2's public key reconstruction public data.)
-   -   3. CA1 chooses a function ƒ₁=F(γ_(CA2), I_(CA2)) and computes k_(CA2) (if k_(CA2)=0, then chooses another c_(CA2) in step 2 and re-computes k_(CA2))

k_(CA2)=c₁ƒ₁+c_(CA2) (mod q)

-   -   4. CA1 computes γ_(CA2) ¹=(α^(k₂))^(c_(CA2)) (mod p) and sends the triple (γ_(CA2) ¹, k_(CA2), I_(CA2)) to CA2.
-   -   5. CA2 computes γ_(CA2)=(γ_(CA2) ¹)^(k₂⁻¹) α^(k₂) (mod p). Then c₂=k_(CA2)+k₂ (mod q) is CA2's private key, α is CA2's generator and β₂=α^(c₂) is CA2's public key. CA2 publishes (α, I_(CA2), β₁, β₂, γ_(CA2), p, q) in public domain.
-   -   Note: when a user trusts CA2, he/she can use β₂ directly.
-   -   6. Anyone can obtain CA2's (ID-based) implicitly verified public key from the public domain by computing

β₂=α^(c₂)=β₁^(ƒ₁)γ_(CA2) (mod p)

Phase 2. CA3 Applies for Implicit Certified Public Key from CA2.

-   -   1. CA3 randomly chooses an integer k₃ and computes α^(k₃), then sends it to CA2.
-   -   2. CA2 chooses a unique distinguished name or identity I_(CA3) and a random integer c_(CA3) with 1≦c_(CA3)≦q−1. Then CA2 computes γ_(CA3)=α^(k₃)α^(c_(CA3)) (mod p). (γ_(CA3) is CA3's public key reconstruction public data.)
-   -   3. CA2 chooses a function ƒ₂=F(γ_(CA3), I_(CA3)) and computes k_(CA3) (if k_(CA3)=0, then chooses another c_(CA3) in step 2 and re-computes k_(CA3)).

k_(CA3)=c₂ƒ₂+c_(CA3) (mod q)

-   -   4. CA2 computes γ_(CA3) ¹=(α^(k₃))^(c_(CA3)) (mod p) and sends the triple (γ_(CA3) ¹, k_(CA3), I_(CA3)) to CA3.
-   -   5. CA3 computes γ_(CA3)=(γ_(CA3) ¹)^(k₃⁻¹) α^(k₃) (mod p). Then c₃=k_(CA3)+k₃ (mod q) is CA3's private key, α is CA3's generator and β₃=α^(c₃) is CA3's public key. CA3 publishes (α, I_(CA3), β₂, β₃, γ_(CA3), p, q) in public domain.
-   -   Note: when an entity trusts CA3, it can use β₃ directly.
-   -   6. Anyone can obtain CA3's (ID-based) implicitly verified public key from the public domain by computing

β₃=α^(c₃)=β₂^(ƒ₂)γ_(CA3) (mod p)

Phase 3. User A applies for implicit certified public key from CA3.

-   -   1. A randomly chooses an integer k and computes α^(k), then sends it to CA3.
-   -   2. CA3 chooses a unique distinguished name or identity I_(A) and a random integer c_(A) with 1≦c_(A)≦q−1. Then CA3 computes γ_(A)=α^(k)α^(c_(A)) (mod p). (γ_(A) is A's public key reconstruction public data.)
-   -   3. CA3 chooses a carefully chosen function ƒ₃=F(γ_(A), I_(A)) and computes k_(A) (if k_(A)=0, then chooses another c_(A) in step 2 and re-computes k_(A)).

k _(A) ≡c ₃ƒ₃ +c _(A)(mod q)

-   -   4. CA3 computes γ_(A) ¹=(α^(k))^(c_(A)) (mod p) and sends the triple (γ_(A) ¹, k_(A), I_(A)) to A.
-   -   5. A computes γ_(A)=(γ_(A) ¹)^(k⁻¹) α^(k) (mod p). Then a=k_(A)+k (mod q) is A's private key, α is A's generator and β_(A)=α^(a) is A's public key. A publishes (α, I_(A), β₃, β_(A), γ_(A), p, q) in public domain.
-   -   Note: when a user trusts A, he/she can use β_(A) directly.
-   -   6. Anyone can obtain A's (ID-based) implicitly verified public key from the public domain by computing

β_(A)=α^(a)=β₃^(ƒ₃)γ_(A) (mod p)

Phase 4. User A's Signature and Verification.

To sign a message M, user A does following:

1. randomly chooses x, computes r=α^(x) (mod p).

2. computes e=ƒ_(A)=F(r,M), where F is some fixed function.

3. computes s=ae+x(mod q)

4. The signature on M is (r,s).

Verifier does following:

-   -   1. gets CA1, CA2, CA3 and User A's public data (α, I_(CA2), I_(CA3), I_(A), β₁, β₂, β₃, β_(A), γ_(CA2), γ_(CA3), γ_(A), p, q)
-   -   2. reconstructs user A's public key

β_(A)=β₁^(ƒ₁ƒ₂ƒ₃) γ_(CA2)^(ƒ₂ƒ₃) γ_(CA3)^(ƒ₃) γ_(A) (mod p)

-   -   3. computes e=ƒ_(A)=F(r,M).
-   -   4. computes r′=α^(s)β_(A)^(−e) (mod p)
-   -   5. if r=r′, the signature is verified. At the same time CA2, CA3 and user A's (ID-based) public keys are implicitly verified.

Reconstructing user A's public key needs only 3 known basis exponentiation operations and 3 multiplication operations. When the signature is valid, CA2, CA3 and user A's (ID-based) public keys are implicitly verified.

Notes:

-   -   1. If the verifier trusts A, then A's public key is β_(A).
-   -   2. If the verifier trusts CA3, then A's reconstruction public key is β_(A)=β₃^(ƒ₃)γ_(A) (mod p)
-   -   3. If the verifier trusts CA2, then A's reconstruction public key is β_(A)=β₂^(ƒ₂ƒ₃) γ_(CA3)^(ƒ₃) γ_(A) (mod p)
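The scheme 2.c request/issue exchange and the three-level CA chain built from it, as an added Python example (not code from the patent). It assumes a constructed toy group (p=2039, q=1019, α=4, far too small for real use), SHA-256 as F, and string identities; every function name is hypothetical.

```python
import hashlib
import secrets

P, Q, ALPHA = 2039, 1019, 4    # constructed toy group: P = 2*Q + 1, ALPHA has order Q


def F(value, text):
    """Assumed F: SHA-256 over both inputs, reduced mod Q."""
    digest = hashlib.sha256(f"{value}|{text}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def rand_exp():
    return secrets.randbelow(Q - 1) + 1                  # uniform in 1..Q-1


def ca_issue(c, identity, alpha_k):
    """Issuer with private key c: returns (gamma^1, k_A) for the subject's alpha^k."""
    while True:
        c_A = rand_exp()
        gamma = alpha_k * pow(ALPHA, c_A, P) % P         # gamma = alpha^k * alpha^c_A
        k_A = (c * F(gamma, identity) + c_A) % Q         # k_A = c*f + c_A
        if k_A != 0:
            return pow(alpha_k, c_A, P), k_A


def enroll(c, beta, identity):
    """Subject side: request, derive private key a and gamma, check them against beta."""
    while True:
        k = rand_exp()
        alpha_k = pow(ALPHA, k, P)
        gamma1, k_A = ca_issue(c, identity, alpha_k)     # in practice a network round trip
        gamma = pow(gamma1, pow(k, -1, Q), P) * alpha_k % P
        a = (k_A + k) % Q
        if a in (0, 1):
            continue                                     # excluded values: start over
        if pow(ALPHA, a, P) != pow(beta, F(gamma, identity), P) * gamma % P:
            raise ValueError("response does not verify under the issuer's public key")
        return a, gamma


def build_chain():
    """CA1 certifies CA2, CA2 certifies CA3, CA3 certifies alice."""
    c1 = rand_exp()
    beta1 = pow(ALPHA, c1, P)
    c2, g2 = enroll(c1, beta1, "CA2")
    c3, g3 = enroll(c2, pow(ALPHA, c2, P), "CA3")
    a, gA = enroll(c3, pow(ALPHA, c3, P), "alice")
    return beta1, [("CA2", g2), ("CA3", g3), ("alice", gA)], a


def reconstruct_chain(beta_root, certs):
    """Walk the chain from the trusted key: key <- key^f * gamma at every level."""
    key = beta_root
    for identity, gamma in certs:
        key = pow(key, F(gamma, identity), P) * gamma % P
    return key


def reconstruct_closed_form(beta1, certs):
    """The single expression beta1^(f1 f2 f3) * g2^(f2 f3) * g3^(f3) * gA."""
    (i2, g2), (i3, g3), (iA, gA) = certs
    f1, f2, f3 = F(g2, i2), F(g3, i3), F(gA, iA)
    return (pow(beta1, f1 * f2 * f3 % Q, P) * pow(g2, f2 * f3 % Q, P)
            * pow(g3, f3, P) * gA) % P


def sign(a, msg):
    x = rand_exp()
    r = pow(ALPHA, x, P)
    return r, (a * F(r, msg) + x) % Q                    # s = a*e + x


def verify(beta_root, certs, msg, sig):
    r, s = sig
    beta_A = reconstruct_chain(beta_root, certs)
    return r == pow(ALPHA, s, P) * pow(beta_A, -F(r, msg), P) % P


if __name__ == "__main__":
    beta1, certs, a = build_chain()
    print(reconstruct_chain(beta1, certs) == pow(ALPHA, a, P))
    print(verify(beta1, certs, "constructed message", sign(a, "constructed message")))
```

A verifier that already trusts CA2 or CA3 passes that CA's public key and the remaining suffix of `certs` to `reconstruct_chain`, which matches notes 2 and 3 above.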

Co-Signing Scheme.

The following describes a scheme that allows multiple CAs to sign ONE implicit certificate. This is illustrated by the case where three CAs co-sign a certificate using the basic scheme 3′.

System Setup:

Let CA1, CA2 and CA3 have common system parameters: (1) a prime p with p=tq+1 where q is a large prime; (2) a generator α of order q; (3) a carefully chosen function ƒ=F(γ,(I_(A1)+I_(A2)+I_(A3))). CA1 selects a random integer c₁, with 1≦c₁≦q−1 as its private key, then computes the public key β₁=α^(c₁) mod p and publishes (β₁, α, p, q). CA2 selects a random integer c₂, with 1≦c₂≦q−1 as its private key, then computes the public key β₂=α^(c₂) mod p and publishes (β₂, α, p, q). CA3 selects a random integer c₃, with 1≦c₃≦q−1 as its private key, then computes the public key β₃=α^(c₃) mod p and publishes (β₃, α, p, q).

-   -   Step 1. A randomly chooses an integer k and computes α^(k), then sends it to CA1, CA2 and CA3.
-   -   Step 2. CAs exchange information and compute implicit certificates

Phase 1.

-   -   1. CA1 chooses a unique distinguished name or identity I_(A1) and a random integer c_(A1) with 1≦c_(A1)≦q−1, computes α^(c_(A1)) and sends (α^(c_(A1)), I_(A1)) to CA2 and CA3.
-   -   2. CA2 chooses a unique distinguished name or identity I_(A2) and a random integer c_(A2) with 1≦c_(A2)≦q−1, computes (α^(c_(A2)), I_(A2)) and sends α^(c_(A2)) to CA1 and CA3.
-   -   3. CA3 chooses a unique distinguished name or identity I_(A3) and a random integer c_(A3) with 1≦c_(A3)≦q−1, computes (α^(c_(A3)), I_(A3)) and sends α^(c_(A3)) to CA1 and CA2.

Phase 2.

-   -   1. CA1 computes γ=α^(k)α^(c_(A1))α^(c_(A2))α^(c_(CA3)) (mod p) (γ is A's public key reconstruction public data), computes ƒ=F(γ,(I_(A1)+I_(A2)+I_(A3))) and computes k_(A1) (if k_(A1)=0, then goes back to phase 1.)

k_(A1)=c₁ƒ+c_(A1) (mod q)

-   -   CA1 computes γ_(A1) ¹=(α^(k))^(c_(A1)) (mod p) and sends the triple (γ_(A1) ¹, k_(A1), I_(A1)) to A.

-   -   2. CA2 computes γ=α^(k)α^(c_(A1))α^(c_(A2))α^(c_(CA3)) (mod p) (γ is A's public key reconstruction public data), computes ƒ=F(γ,(I_(A1)+I_(A2)+I_(A3))) and computes k_(A2) (if k_(A2)=0, then goes back to phase 1.)

k_(A2)=c₂ƒ+c_(A2) (mod q)

-   -   CA2 computes γ_(A2) ¹=(α^(k))^(c_(A2)) (mod p) and sends the triple (γ_(A2) ¹, k_(A2), I_(A2)) to A.

-   -   3. CA3 computes γ=α^(k)α^(c_(A1))α^(c_(A2))α^(c_(CA3)) (mod p) (γ is A's public key reconstruction public data), computes ƒ=F(γ,(I_(A1)+I_(A2)+I_(A3))) and computes k_(A3) (if k_(A3)=0, then goes back to phase 1.)

k_(A3)≡c₃ƒ+c_(A3) (mod q)

-   -   CA3 computes γ_(A3) ¹=(α^(k))^(c_(A3)) (mod p) and sends the triple (γ_(A3) ¹, k_(A3), I_(A3)) to A.

-   -   Step 3. A computes implicitly co-certified private keys and public key reconstruction information.

-   -   1. A computes a=k_(A1)+k_(A2)+k_(A3)+k (mod q). (If a is 0 or 1, then goes back to step 1.)

-   -   2. A computes γ=(γ_(A1) ¹γ_(A2) ¹γ_(A3) ¹)^(k⁻¹) α^(k) (mod p), ƒ=F(γ,(I_(A1)+I_(A2)+I_(A3))). Then verifies if

α^(a)=(β₁β₂β₃)^(ƒ)γ (mod p).

-   -   3. Then a is A's implicitly co-certified private key, α is A's generator, I_(A)=I_(A1)+I_(A2)+I_(A3) is A's common ID and (β₁β₂β₃)^(ƒ)γ is A's implicitly co-certified public key.
-   -   4. A publishes (α, I_(A1), I_(A2), I_(A3), β₁, β₂, β₃, γ, p, q) in public domain.
-   -   5. Anyone can obtain A's (ID-based) implicitly co-certified public key from the public domain by computing (β₁β₂β₃)^(ƒ)γ (mod p)
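The co-signing exchange above, as an added Python example (not code from the patent). It assumes a constructed toy group (p=2039, q=1019, α=4), SHA-256 as F, and reads I_(A1)+I_(A2)+I_(A3) as string concatenation; the class and function names are hypothetical.

```python
import hashlib
import secrets
from math import prod

P, Q, ALPHA = 2039, 1019, 4    # constructed toy group: P = 2*Q + 1, ALPHA has order Q


def F(gamma, common_id):
    """Assumed F: SHA-256 over gamma and the combined identity, reduced mod Q."""
    digest = hashlib.sha256(f"{gamma}|{common_id}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def rand_exp():
    return secrets.randbelow(Q - 1) + 1                  # uniform in 1..Q-1


class CoSigner:
    """One of the co-signing CAs, holding private key c and public key beta."""

    def __init__(self, assigned_id):
        self.assigned_id = assigned_id                   # I_Ai, the identity this CA assigns to A
        self.c = rand_exp()
        self.beta = pow(ALPHA, self.c, P)

    def contribute(self):
        """Phase 1: pick c_Ai and share alpha^c_Ai with the other CAs."""
        self.c_A = rand_exp()
        return pow(ALPHA, self.c_A, P)

    def respond(self, alpha_k, shares, common_id):
        """Phase 2: every CA derives the same gamma and f, then its own k_Ai."""
        gamma = alpha_k * prod(shares) % P
        k_A = (self.c * F(gamma, common_id) + self.c_A) % Q
        return pow(alpha_k, self.c_A, P), k_A            # (gamma_Ai^1, k_Ai)


def co_public(betas, gamma, common_id):
    """Anyone: (beta1*beta2*beta3)^f * gamma mod p."""
    return pow(prod(betas) % P, F(gamma, common_id), P) * gamma % P


def co_certify(cas):
    """Subject side: returns (a, gamma, common_id) once the excluded values are avoided."""
    common_id = "+".join(ca.assigned_id for ca in cas)
    betas = [ca.beta for ca in cas]
    while True:
        k = rand_exp()
        alpha_k = pow(ALPHA, k, P)                       # step 1: sent to every CA
        shares = [ca.contribute() for ca in cas]
        replies = [ca.respond(alpha_k, shares, common_id) for ca in cas]
        if any(k_A == 0 for _, k_A in replies):
            continue                                     # back to phase 1
        a = (sum(k_A for _, k_A in replies) + k) % Q
        if a in (0, 1):
            continue                                     # back to step 1
        gamma = pow(prod(g1 for g1, _ in replies), pow(k, -1, Q), P) * alpha_k % P
        if pow(ALPHA, a, P) != co_public(betas, gamma, common_id):
            raise ValueError("co-signed key does not verify under beta1*beta2*beta3")
        return a, gamma, common_id


if __name__ == "__main__":
    cas = [CoSigner("A@CA1"), CoSigner("A@CA2"), CoSigner("A@CA3")]   # constructed identities
    a, gamma, common_id = co_certify(cas)
    print(pow(ALPHA, a, P) == co_public([ca.beta for ca in cas], gamma, common_id))
```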

Applications

The following examples are illustrated with respect to scheme 3 (or Scheme 7′) as CA's signing equation since everyone shares the same generator in this scheme. Each user can have a different CA as long as the CAs use the system parameters (p,q,d) and each user has the same generation.

Setup:

CA1: system parameters (α, β₁, p, q, d)

Alice has a private key a, generator α and publishes (α, I_(A), β, γ_(A), p, q) in the public domain.

CA2: system parameters (α, β₂, p, q)

Bob has a private key b, a generator α and publishes (α, I_(A), β, γ_(A), p, q) in the public domain.

We use the MTI/C0 key agreement protocol to demonstrate how to use our new scheme. Assume Alice and Bob want to perform a key exchange.

The MTI/C0 protocol

-   1. Alice reconstructs Bob's public key α^(b)=β^(F(γ_(B), I_(B)))γ_(B), and randomly chooses an integer x and computes (α^(b))^(x), then sends it to Bob.
-   2. Bob reconstructs Alice's public key α^(a)=β^(F(γ_(A), I_(A)))γ_(A), and randomly chooses an integer y and computes (α^(a))^(y), then sends it to Alice.
-   3. Alice computes the shared key K_(A)=(α^(ay))^(xa⁻¹)=α^(xy)
-   4. Bob computes the shared key K_(B)=(α^(bx))^(yb⁻¹)=α^(xy)

This is a two-pass protocol. With the implicit certificate scheme of the present invention, each party only does three exponentiation operations to get the shared key while at the same time performing an authentication key agreement and implicit public key verification.

The following are examples of signcryption schemes. We use scheme 3 (or scheme 7) as CA's signing equation since everyone shares the same generator in this scheme. For the scheme thereafter, we use scheme 13 as CA's signing equation. For all schemes in this section, each user can have a different CA as long as the CAs use the same system parameters (p,q,α) and each user has the same generator.

Setup:

CA1: system parameters (α, β₁, p, q)

Alice: private key a, generator α and (α, I_(A), β₁, γ_(A), p, q) in public domain.

CA2: system parameters (α, β₂, p, q)

Bob: private key b, generator α and (α, I_(B), β₂, γ_(B), p, q) in public domain.

Bob wants to send a signed and encrypted message M to Alice:

Signcryption Protocol 1:

Assume Bob wants to send a signed and encrypted message M to Alice.

Bob does the following:

1. reconstructs Alice's public key α^(a)=β^(F(γ_(A), I_(A)))γ_(A) mod p
2. randomly chooses an integer x and computes a key r=(α^(a))^(x) (mod p)
3. computes C=DES_(r)(M)
4. computes e=hash(C I_(A))
5. computes s=be+x (mod q)
6. sends the pair (C,s) to Alice, thus C is the encrypted message and s is the signature.

To recover the message Alice does the following:

1. computes e=hash(C I_(A))
2. reconstructs Bob's public key α^(b)=β^(F(γ_(B), I_(B)))γ_(B) mod p
3. computes α^(as)(α^(b))^(−ac) (mod p) which is r
4. decrypts the message M=DES_(r)(C)
5. checks for redundancy

Thus, Bob only does two exponentiation operations and Alice does three exponentiation operations. But Alice and Bob are both confident of each other's authentication. Note that for this scheme, the message M must have some redundancy or pattern.

Signcryption Protocol 2 (General Case): Setup:

CA1: system parameters $(\alpha, \beta_1, p, q)$

Alice: private key $a$, generator $\alpha$ and $(\alpha, I_A, \beta_1, \gamma_A, p, q)$ in public domain.

CA2: system parameters $(\alpha, \beta_2, p, q)$

Bob: private key $b$, generator $\alpha$ and $(\alpha, I_B, \beta_2, \gamma_B, p, q)$ in public domain.

Note: this setup is for the implicit certificate. For usual certificate scheme systems, we only require that Alice and Bob have the same generator.

To signcrypt a message to Alice, Bob does the following:

-   1. gets Alice's public key $\alpha^{a}$ (in the case of the implicit certificate scheme, reconstructs Alice's public key $\alpha^{a} = \beta_1^{F(\gamma_A, \beta_1, I_A)}\gamma_A \pmod p$)
-   2. randomly chooses an integer $x$ and computes $r = (\alpha^{a})^{x} \pmod p$
-   3. computes $C = \mathrm{DES}_r(M)$
-   4. computes $e = \mathrm{hash}(C \| \alpha^{a})$
-   5. computes $s = be + x \pmod q$
-   6. sends $(C, s)$ to Alice. $C$ is the encrypted message and $s$ is the signature.

To recover the message Alice does the following:

-   1. computes $e = \mathrm{hash}(C \| \alpha^{a})$
-   2. gets Bob's public key $\alpha^{b}$ (in the case of the implicit certificate scheme, reconstructs Bob's public key $\alpha^{b} = \beta_2^{F(\gamma_B, \beta_2, I_B)}\gamma_B \pmod p$)
-   3. computes $\alpha^{as}(\alpha^{b})^{-ae} \pmod p$, which is $r$
-   4. decrypts the message $M = \mathrm{DES}_r(C)$

Note:

-   1. If the certificate scheme is not the implicit certificate as described herein, Alice and Bob's public keys should be verified.
-   2. The message $M$ must have some redundancy or pattern.
-   3. Anyone who knows one value $r$ can decrypt any messages from Bob to Alice since the value $\alpha^{ab}$ will be exposed.
-   4. In general, we should include an optional parameter in the hash $e$, i.e. $e = \mathrm{hash}(C \| \alpha^{a} \| OP)$. For example, $OP = \alpha^{b}$ or $OP = \alpha^{b} \| \beta_1 \| \beta_2$.

The signcryption schemes above have the drawback that if the signer loses his/her private signing key, then all messages the signer signcrypted will be exposed to the public. To protect post encryption we propose a new signcryption scheme. In the new scheme, each user has two pairs of keys: one pair is the signature key, the other pair is the encryption key. The new scheme can be used with any certificate scheme, but it is more efficient if it is used with our implicit certificate scheme.
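Note 3 worked through for Signcryption Protocol 2, as an added Python example (not code from the patent), to show why the page moves to a separate encryption key pair in Protocol 3. The toy group, the SHA-256 hash, the XOR keystream standing in for $\mathrm{DES}_r$, the `TAG` redundancy pattern and all function names are assumptions; keys are used directly as in the "usual certificate" case.

```python
import hashlib
import secrets

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# Constructed toy group (p = 2q + 1, alpha of prime order q); not a secure size.
q = next(v for v in range(10**6, 2 * 10**6) if is_prime(v) and is_prime(2 * v + 1))
p, alpha = 2 * q + 1, 4
TAG = b"MSG:"   # assumed redundancy pattern that every plaintext must carry

def H(C, key):
    """e = hash(C || alpha^a), reduced mod q."""
    return int.from_bytes(hashlib.sha256(C + str(key).encode()).digest(), "big") % q

def cipher(r, data):
    """XOR with a SHA-256 keystream of r: stand-in for DES_r, up to 32 bytes."""
    stream = hashlib.sha256(str(r).encode()).digest()
    return bytes(d ^ k for d, k in zip(data, stream))

def signcrypt(b, Pa, M):
    x = secrets.randbelow(q - 1) + 1
    C = cipher(pow(Pa, x, p), TAG + M)           # r = (alpha^a)^x
    return C, (b * H(C, Pa) + x) % q             # s = b*e + x

def recover_r(a, Pa, Pb, C, s):
    e = H(C, Pa)
    return pow(alpha, a * s % q, p) * pow(Pb, -a * e % q, p) % p

def unsigncrypt(a, Pa, Pb, C, s):
    M = cipher(recover_r(a, Pa, Pb, C, s), C)
    if not M.startswith(TAG):
        raise ValueError("redundancy check failed: not signcrypted by this sender")
    return M[len(TAG):]

def r_after_leak(Pa, leaked_r, C1, s1, C2, s2):
    """Note 3: one leaked r for (C1, s1) yields alpha^(ab), then r for (C2, s2)."""
    e1, e2 = H(C1, Pa), H(C2, Pa)
    g_abe1 = pow(Pa, s1, p) * pow(leaked_r, p - 2, p) % p   # alpha^(a*b*e1)
    g_ab = pow(g_abe1, pow(e1, q - 2, q), p)                # alpha^(ab)
    return pow(Pa, s2, p) * pow(g_ab, -e2 % q, p) % p
```

Only public values and one session key enter `r_after_leak`, which is the exposure that the second key pair and the extra term $b_E$ in Protocol 3 are meant to remove.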

Signcryption Protocol 3 (General Case): Setup:

Alice: private signing key $a$ and private encryption key $a_E$, generator $\alpha$ and $(\alpha, \alpha^{a_E}, I_A, \beta_1, \gamma_A, p, q)$ in public domain.

CA2: system parameters $(\alpha, p, q)$

Bob: private signing key $b$ and private encryption key $b_E$, generator $\alpha$ and $(\alpha, \alpha^{b_E}, I_B, \beta_2, \gamma_B, p, q)$ in public domain.

Note: this setup is for the implicit certificate using scheme 6.c. For usual certificate scheme systems, we only require that Alice and Bob have the same generator.

To signcrypt a message to Alice, Bob does the following:

-   1. gets Alice's public signing key $\alpha^{a}$ and public encryption key $\alpha^{a_E}$ (in the case of the implicit certificate scheme, reconstructs Alice's public signing key $\alpha^{a} = \beta_1^{F(\gamma_A, \beta_1, I_A, \alpha^{a_E})}\gamma_A \pmod p$)
-   2. randomly chooses an integer $x$ and computes $r = (\alpha^{a}\alpha^{a_E})^{x} \pmod p$
-   3. computes $C = \mathrm{DES}_r(M)$
-   4. computes $e = \mathrm{hash}(C \| \alpha^{a} \| \alpha^{a_E} \| \alpha^{b} \| \alpha^{b_E} \| OP)$
-   5. computes $s = be + x + b_E \pmod q$
-   6. sends $(C, s)$ to Alice. $C$ is the encrypted message and $s$ is the signature.

To recover the message Alice does the following:

-   1. computes $e = \mathrm{hash}(C \| \alpha^{a} \| \alpha^{a_E} \| \alpha^{b} \| \alpha^{b_E} \| OP)$
-   2. gets Bob's public signing key $\alpha^{b}$ and public encryption key $\alpha^{b_E}$ (in the case of the implicit certificate scheme, reconstructs Bob's public signing key $\alpha^{b} = \beta_2^{F(\gamma_B, \beta_2, I_B, \alpha^{b_E})}\gamma_B \pmod p$)
-   3. computes $\alpha^{(a+a_E)s}(\alpha^{b})^{-(a+a_E)e}\alpha^{-(a+a_E)b_E} \pmod p$, which is $r$
-   4. decrypts the message $M = \mathrm{DES}_r(C)$

Note:

-   1. We can regard the receiver Alice's private key as $a + a_E$. This means the receiver only needs one private key instead of two private keys. But the sender Bob needs two private keys. In the case of a normal certificate, the receiver only needs one private key.
-   2. If the certificate scheme is not the implicit certificate described in this application, Alice and Bob's public keys should be verified.
-   3. The message $M$ must have some redundancy or pattern.
-   4. The parameter $OP$ inside the hash $e = \mathrm{hash}(C \| \alpha^{a} \| \alpha^{a_E} \| \alpha^{b} \| \alpha^{b_E} \| OP)$ may be empty or $OP = \beta_1 \| \beta_2$.
-   5. Knowing one $r$ value does not reveal any information about the post messages.
-   6. With the implicit certificate scheme, Bob only does 2 exponentiation operations and Alice does 4 exponentiation operations. But Alice and Bob are both confident that the other party is authenticated.
-   7. If anyone knows Alice's private key $a + a_E$, or Bob loses both private keys, the post encrypted messages cannot be protected.

For normal signatures, one problem is that the signer may deny that he/she signed the signature. This is called repudiation. Protocols 1 and 2 above have a non-repudiation feature provided one trusts the judge. That is, the signer cannot deny that he/she signed the signcrypted message. Protocol 3 has a non-repudiation feature even when the judge is not trusted. The next protocol demonstrates how a judge decides a case where Bob wants to deny the signature.

Non-Repudiation Protocol:

-   1. Alice sends $(C, s)$ to the Judge.
-   2. The Judge computes $e = \mathrm{hash}(C \| \alpha^{a} \| \alpha^{a_E} \| \alpha^{b} \| \alpha^{b_E} \| OP)$ and $\alpha^{x} = \alpha^{s}(\alpha^{b})^{-e}\alpha^{-b_E}$. (Note: Alice and Bob's two pairs of public keys should be verified. In the case of the implicit certificate scheme, the public keys should be computed from the reconstruction public data.)
-   3. The Judge randomly chooses two integers $r_1$ and $r_2$, computes $L = (\alpha^{x})^{r_1}\alpha^{r_2}$ and sends $L$ to Alice.
-   4. Alice computes $L^{a+a_E}$ and sends it back to the Judge.
-   5. The Judge computes $r = \left(L^{(a+a_E)}(\alpha^{a}\alpha^{a_E})^{-r_2}\right)^{r_1^{-1}}$ and recovers the message by $M = \mathrm{DES}_r(C)$.
-   6. If $M$ has the proper format, then $(C, s)$ must have been signcrypted by Bob.
-   7. After the Judge makes a decision, he sends the values $(\alpha^{x}, r_1, r_2, L^{a+a_E}, r)$ to Alice and Bob to back up his decision.

For the other two signcryption protocols the non-repudiation protocols are similar provided one fully trusts the judge.
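The judge's blinded exchange for Signcryption Protocol 3, as an added Python example (not code from the patent): the judge recovers $r$ from Alice's single reply $L^{a+a_E}$ without learning $a + a_E$. The tiny group, the SHA-256 hash with empty $OP$, the XOR keystream standing in for $\mathrm{DES}_r$, the `TAG` format check and all function names are assumptions.

```python
import hashlib
import secrets

p, q, alpha = 2039, 1019, 4   # constructed toy group: p = 2q + 1, alpha has order q
TAG = b"MSG:"                 # assumed redundancy pattern carried by every plaintext

def rand_exp():
    return secrets.randbelow(q - 1) + 1

def H(C, pubs):
    """e = hash(C || alpha^a || alpha^aE || alpha^b || alpha^bE), OP left empty."""
    data = C + "|".join(map(str, pubs)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def cipher(r, data):
    """XOR with a SHA-256 keystream of r: stand-in for DES_r, up to 32 bytes."""
    stream = hashlib.sha256(str(r).encode()).digest()
    return bytes(d ^ k for d, k in zip(data, stream))

def signcrypt3(b, bE, pubs, M):
    Pa, PaE, _, _ = pubs
    x = rand_exp()
    C = cipher(pow(Pa * PaE % p, x, p), TAG + M)     # r = (alpha^a alpha^aE)^x
    return C, (b * H(C, pubs) + x + bE) % q          # s = b*e + x + bE

def alice_response(a, aE, L):
    return pow(L, (a + aE) % q, p)                   # step 4: L^(a + aE)

def judge(ask_alice, pubs, C, s):
    """Returns the recovered message if (C, s) verifies as Bob's, else None."""
    Pa, PaE, Pb, PbE = pubs
    e = H(C, pubs)
    g_x = pow(alpha, s, p) * pow(Pb, -e % q, p) * pow(PbE, p - 2, p) % p  # step 2
    r1, r2 = rand_exp(), rand_exp()
    L = pow(g_x, r1, p) * pow(alpha, r2, p) % p                           # step 3
    unblinded = ask_alice(L) * pow(Pa * PaE % p, -r2 % q, p) % p
    r = pow(unblinded, pow(r1, q - 2, q), p)                              # step 5
    M = cipher(r, C)
    return M[len(TAG):] if M.startswith(TAG) else None                    # step 6
```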

In conclusion it may be seen that the present scheme, when combined with an application protocol for which the user's private key must be used directly in computation, provides an implicitly certified ID-based public key of the user. These schemes can also be used for a Key Authentication Center (KAC) to distribute implicitly certified public keys to users.

A further application of implicitly certified public keys is that the bit strength of the certifying authority is the same as the user or entity public keys being certified. By bit strength it is implied the relative key sizes and processing power of the entities concerned.

One approach to addressing this issue is to embed implicitly certified public keys into more traditional certificate structures such as specified in X.509 certificates, where the signature on the certificate is at a higher bit strength than the implicitly certified public key. Hence, the CA has certified the user public key at two different security levels. Any other entity retrieving a public key can decide on which security level they wish to accept. In some applications it may be that only the lower level provided by the implicit value is necessary to provide the performance required.

While the invention has been described in connection with specific embodiments thereof and in specific uses, various modifications thereof will occur to those skilled in the art without departing from the spirit of the invention as set forth in the appended claims. For example in the above description of preferred embodiments, use is made of multiplicative notation, however the method of the subject invention may be equally well described utilizing additive notation. It is well known for example that elliptic curve algorithm embodied in the ECDSA is equivalent of the DSA and that the elliptic curve analog of a discrete log logarithm algorithm that is usually described in a setting of, $F_p^*$: the multiplicative group of the integers modulo a prime. There is a correspondence between the elements and operations of the group $F_p^*$ and the elliptic curve group $E(F_q)$. Furthermore, this signature technique is equally well applicable to functions performed in a field defined over $F_p$ and $F_2$. It is also to be noted that the DSA signature scheme described above is a specific instance of the ElGamal generalized signature scheme which is known in the art and thus the present techniques are applicable thereto.

1. A computer implemented method of a trusted entity CA facilitating generation of a public key by a correspondent A in an electronic data communication system using implicit certificates, said method comprising the steps of: a cryptographic unit of said trusted entity CA selecting a unique identity $I_A$ distinguishing said correspondent A; said cryptographic unit generating public key reconstruction public data $\gamma_A$ for said correspondent A by mathematically combining a private value of said trusted entity CA and information made public by said trusted entity CA to obtain a pair $(I_A, \gamma_A)$ serving as an implicit certificate for said correspondent A; said cryptographic unit generating a private key $a$ for said correspondent A using said implicit certificate and said private value of said trusted entity CA such that said public key is computable by combining said data $\gamma_A$ and said private key $a$, wherein generating said private key $a$ comprises generating a value ƒ being a function of said pair $(I_A, \gamma_A)$ including a hash of said pair $(I_A, \gamma_A)$, and evaluating said private key $a$ from an equation comprising ƒ and said private value of said trusted entity CA; and said cryptographic unit providing a signature $(I_A, a, \gamma_A)$ to said correspondent A over a secure channel of said data communication system.